package day11.gec.preparestatement;

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

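public class PrepareStatementLogin2 {
	/**
	 * Demonstrates that a {@link PreparedStatement} keeps a supplied value
	 * inside the bound parameter instead of letting it alter the query text:
	 * the {@code password} value below contains quotes and an {@code or}
	 * clause, yet it is sent to the server as a plain string value.
	 *
	 * <p>Connects to {@code jdbc:mysql:///hrm}, runs the login query and
	 * prints every matching row. The {@link ResultSet} is closed by its own
	 * try-with-resources so it is released even if printing a row fails.
	 * Any {@link SQLException} is printed to stderr; this is demo code, so
	 * there is no recovery logic.
	 *
	 * @param args ignored
	 */
	public static void main(String[] args) {
		String name = "xx";
		//String password = "123";

		// Tautology ("1=1" is always true) used to show that the value is
		// bound as data, not spliced into the SQL text.
		String password = "' or '1'='1";
		//String sql = "select * from t_user where name = '" + name + "' and password = '" + password + "'";

		// Placeholders are filled by setString below; the SQL text itself
		// never contains the values.
		String sql = "select * from t_user where name = ? and password = ?";

		try (
			Connection conn = DriverManager.getConnection("jdbc:mysql:///hrm", "root", "root");
			PreparedStatement st = conn.prepareStatement(sql)
		) {
			// Bind the two placeholders.
			st.setString(1, name);
			st.setString(2, password);

			// executeQuery takes no arguments: the statement already holds
			// the bound values.
			try (ResultSet rs = st.executeQuery()) {
				// With Statement + string concatenation the server would have seen:
				//   select * from t_user where name = 'xx' and password = '' or '1'='1'
				// With PreparedStatement the value stays a literal, roughly:
				//   select * from t_user where name = 'xx' and password = '\' or \'1\'=\'1'
				// (what toString() prints is driver-specific)
				System.out.println("sql:" + st);
				while (rs.next()) {
					// Demo only: echoes the password column as stored in t_user.
					System.out.println(rs.getInt("id") + ":" + rs.getString("name") + ":" + rs.getString("password"));
				}
			}
		} catch (SQLException e) {
			// Demo code: report the failure rather than swallow it.
			e.printStackTrace();
		}
	}
}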
